How effective is antivirus software on smartphones?

Patrick Lambert looks at the limited usefulness of smartphone antivirus apps. Should you bother with them?

In our world of corporate security where the threats are constant, most IT pros and administrators would not consider giving a computer to an employee without locking it down. Login systems, antivirus, network protection, and more provide a security-in-depth approach that is the norm for corporate life. Antivirus companies provide extensive suites to secure computers, networks, servers and more, with a central point of control. But what about smartphones? As iPhone and Android devices have become more and more popular, employees no longer consider their company-issued or BYOD phones to be just a communication device. Now, they use that phone to read email attachments, download documents, and even VPN inside the corporate firewall. So it's no wonder that we often hear of the potential for security problems. Is it time to install antivirus software on smartphones?

Before answering this question, it's important to understand how modern smartphones work, and how their model differs from that of a typical computer. On a normal system, a program has the ability to access all system resources. All the unprotected RAM, hard drive content, and more can be read, unless it's specifically locked down. So if an employee downloads malicious software, either because they were tricked or because they went to a web page using a browser that wasn't fully patched yet, that software can read keystrokes, scan the hard drive for useful file types, and send the results back through the network. Recent versions of Windows, such as Vista and 7, have UAC, which helps mitigate this, but we all know it doesn't stop everything.

Modern smartphone platforms like iOS and Android don't work like that. Instead, each app is given its own work environment, and is unable to access other apps' data. Think of it as running every single application in its own VM. This, by itself, is a huge security improvement, and means that no malicious software can do much harm by simply being installed. Then, at least in the case of iOS, there's the additional benefit that any app must be downloaded from the App Store, and is vetted against potential problems. In the case of Android, Google introduced "Bouncer" to help scan for problem apps, but it's not foolproof.

So right away, the potential for trouble from a single app is fairly limited. But it also means that there's not much an antivirus could do either. Any antivirus software you install on a phone would not be able to scan any other app, or any data used by those apps. There is antivirus software out there for iOS and Android, but unless you jailbreak or root your device, its abilities are limited. For example, VirusBarrier is a $2.99 iOS antivirus available in the App Store. But it doesn't actively scan anything, because it can't. Instead, if you want to scan an email attachment, you have to send it off to the app from within Mail. This makes the process fairly annoying, and of minimal use. On Android there are more active scanners such as Avast! Mobile Security, where you can set up daily or weekly scans, but again, some of its functions only work on rooted phones.

Besides, right now there hasn't been any real virus on modern smartphones. Instead, the threat is usually different. What we've seen are apps that can read and transmit information from the phone. There have been cases where rogue Android apps managed to get into the Market and would read all your contacts, sending them off to a third party. Other apps would start sending SMS messages to a foreign address in the hope of raising your bill. So far, we haven't seen much malware that would somehow manage to read confidential data from other apps; however, malware is always evolving, as in this report, "Remote-controlled Android malware stealing banking credentials" by ZDNet's Ryan Naraine.

So what exactly should you do when it comes to phone security? There are many functions you can turn on, such as having a lock screen, making sure the device is erased if someone tries to guess the passcode after a certain number of attempts, and having the ability to track and remotely erase devices. All of these features are now available on any modern platform, and are the kind of things any IT administrator can implement.

Now, we're starting to see corporate security suites implement various smartphone-related features as well. For example, if someone VPNs into the network using a smartphone, the model can be checked to see that it supports security features, or otherwise blocked. So right now my recommendation is to not worry about trying to get antivirus software to run on the phones themselves. Not only is it barely effective, but like any background process, it takes up valuable battery life and resources. Instead, if you have very sensitive documents, don't allow them to be used on a smartphone; implement the already-existing security features that come with any good smartphone, and you'll be in good shape.

About Patrick Lambert

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news community TideArt. He's always at the forefront of the latest happening in the world of technology. You can find him online at http://dendory.net or on Twitter at @dendory.

Thanks for info, author. I am happy to know we continue to have a wide variety of mobile security apps to choose from. At the moment, I am using AVG's mobile security apps.
http://www.avg.com/antivirus-for-android
It seems cool. I have not noticed any slowdown. It automatically scans every app I install, plus a few other great functionalities. I will be happy to try out other options though, if need be. Information well appreciated.

In the internet market there are many mobile security apps for smartphones. For my Android smartphone I have chosen the mobile security app (https://m.comodo.com/) called Comodo Mobile Security, which has the best privacy and security options.

Antivirus software is very important for a smartphone as it protects it from all sorts of virus attacks. I completely trust antivirus for smartphones as I myself use it and have never faced any virus attacks. I use Immunet smartphone antivirus software and I am always away from any and every virus attack.

Incredibly optimistic story.
If Apps can only access their own work environment, then how come the Official Twitter App can just copy my entire address book onto their servers?
And under a PC OS (Windows, Linux, Mac OS X), RAM is not freely accessible at all. Each application is given its own area by the OS. It can only access the RAM through the OS.
The Chrome Browser also restricts access to other parts of the system.

Authorwfi, I agree with you. I could not believe what I was reading. I am only learning security and it did not ring true. I don't trust cell phones on my network; I know it's coming. Also, I have AV on my Droid and gave it full permissions; it scans all the apps I have (that's not many). Also, I have no info on phones.

Could you take a look at Tim Wyatt's 4/3 post on the Lookout blog and explain how "right now there hasn't been any real virus on modern smartphones"? The malware variant Wyatt describes uses a malformed JPEG to gain root access to the OS, then downloads and installs a payload app. Is this not virus behavior? Or maybe you don't consider Android prior to 2.3.4 to be a "modern" smartphone OS?

I believe you're right about iOS. But on Android you don't need root to let AV scan apps (an AV can be granted higher permissions, if I'm not mistaken). The AV that I'm using is scanning apps on installation. And yes, there are several viruses for Android. And despite sandboxing - as long as Google Play supports the "good app gone bad" model we still need AV. I favour Android myself, and believe the best protection is reading and understanding app permissions.
I'm not that familiar with iOS. The bigger risks as I see it are iOS users that believe it's a secure environment, and Apple not revealing vulnerabilities.

While Mr. Lambert makes some valid points about how modern phone operating systems are more secure than their traditional desktop counterparts are, he glosses over some very important facts and in doing so draws some incorrect conclusions about the effectiveness of and the need for antivirus on your mobile phone. I'd like to touch on a few things Mr. Lambert claims, starting with: "...each app is given its own work environment, and is unable to access other apps' data...This, by itself, is a huge security improvement, and means that no malicious software can do much harm by simply being installed."
The statement that scares me is his claim that apps cannot access other apps data, and therefore malicious software can do little harm by simply being installed. This is incorrect on a number of levels, and the fact that this was published by a journalist on a major, well-respected blog in a forum on security no less, really shows the lack of understanding of the mobile space by traditional IT professionals and its potential impact on the enterprise. I would go so far as to say that it is this kind of lack in technical depth and expertise in this new frontier that makes mobile antivirus a must and the potential for danger so high.
Yes, by design Android and iOS force 3rd party apps only to run in and interact with data in their own process space. This is called sandboxing and is in fact a huge step forward over a traditional desktop OS when it comes to preventing viruses and attacks. However, in reality there are still threats, and while not as many as occur on the desktop, the fact of the matter is these threats are often more dangerous, because the system tends to operate under the assumption that it is immune from any ill-will.
At least on Android ANY app can get a list of all other packages installed on the phone. Apps can also "subscribe" to system events, such as "hey a new app was just installed". Mobile security apps use this event to initiate a scan and profile of an app whenever the installer is invoked, whether the app comes from Google's official market or is side-loaded.
Again I'm speaking about Android specifically here but there is also a necessary and sometimes misused OS mechanism called an Intent Receiver. An exploit of this particular mechanism and a serious permissions problem was uncovered right here in this forum a number of months ago (http://www.techrepublic.com/blog/security/androids-permission-system-does-it-really-work/6322). Apps advertise "intents" available to other apps and this gives the apps a way to interact with one another.
On top of this both Android and iOS have space for global data storage, so again there is some potential for doing damage and cross pollination here. I'm not saying that viruses are rampant on smart phones--they aren't. But that doesn't mean it's okay to be lackadaisical and just hope one doesn't take hold. Especially when perfectly good tools like Lookout (http://www.techrepublic.com/blog/smartphones/lookout-provides-security-and-anti-virus-for-your-android-phone/3335?tag=content;siu-container) can be obtained at no charge.
The second and even more alarming claim made in this article is: "So right away, the potential for trouble from a single app is fairly limited. But it also means that there's not much an antivirus could do either. Any antivirus software you install on a phone would not be able to scan any other app, or any data used by those apps."
As I already stated, antivirus packages on a mobile phone can and do scan other apps. Not on a byte-by-byte basis like a traditional OS antivirus does, but rather at a package level, where it looks for signatures of known threats, as well as repackaged threats, examines permissions, and can if needed review exposed intents. And while a virus on your phone may not be able to get into another application's sandbox (generally, as there are cases where even this safeguard has been circumvented), it most certainly can wreak havoc across your shared data store, which usually includes your photos, videos, etc. And unlike your traditional desktop malware, a threat on your phone could do things like SMS message all your photos to all your contacts. If that's not a security issue, I don't know what is.
When a threat is detected, as Mr. Lambert pointed out, mobile antivirus cannot simply uninstall the infected application. What he failed to mention though is that through the use of the intents we talked about earlier, antivirus can and does launch the uninstaller with the parameter of the offending application. So yes, technically it is the OS uninstaller and not the antivirus process that is doing the threat removal. But let's be honest, does that make a difference? The antivirus is still catching the threat and initiating the action that gets it off your phone. In my mind, that's a check in the "it works" column.
Perhaps the most perplexing statement to me in the article is the single sentence: "There is antivirus software out there for iOS and Android, but unless you jailbreak or root your device, their abilities are limited." Honestly I can't help but think Mr. Lambert has never actually done a jailbreak (or root in the case of Android) on one of his phones. If he had, he would know that this is often accomplished by downloading a jailbreak app!
I hope I'm not the only reader to see the irony here. Mr. Lambert points out that when a phone is rooted, there is then a potential for serious damage. Yet he says not to worry as long as you don't root the phone, ignoring the fact that you often get the phone into a rooted state by running an app. So if you could simply download an app that roots your phone intentionally, why then would he think it was inconceivable for someone to unintentionally download an app that rooted the device? Because bad guys always label viruses as such before submitting them to the market? It doesn't take a great leap of logic to conclude that smart phone malware can and periodically does jailbreak the device unknowingly to the user.
Again, I'm not trying to say that the sky is falling, that smart phones are not safe, and that you should never allow a smart phone to be on your company infrastructure. In fact I'm agreeing with Mr. Lambert that modern smart phone operating systems tend to be significantly more secure than their desktop brothers and sisters. That said, Mr. Lambert proves here that in many cases smart phone operating systems are significantly misunderstood, even by professionals in the industry. Installing antivirus on your phone is one measure you can take to help protect yourself against both malware, and the massive amounts of misinformation out there. Most antivirus packages for smart phones offer a free version for personal use and it only takes a few minutes to set it up. Am I the only one who disagrees with Mr. Lambert's conclusion that installing antivirus on my phone is not worth the effort?
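
The package-level checks described in the comment above (declared permissions and exposed intents), applied to the contact-harvesting and SMS behaviours mentioned in the article, as an added example that is not code from the article, the commenters or any antivirus product. It assumes the app's binary manifest has already been decoded to text XML; the sample manifest, package name and rule list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded AndroidManifest.xml of a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".Sync" android:exported="false"/>
  </application>
</manifest>"""

# Illustrative rules (an assumption of this example, not a vendor's rule set):
# permission combinations matching the behaviours described on this page.
RULES = [
    ({"READ_CONTACTS", "INTERNET"}, "can read contacts and send them off-device"),
    ({"SEND_SMS"}, "can send SMS messages (billing risk)"),
]

def triage(manifest_xml):
    """Return declared permissions, rule hits and externally reachable components."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
             for p in root.iter("uses-permission")}
    findings = [msg for needed, msg in RULES if needed <= perms]
    exposed = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            exported = comp.get(ANDROID_NS + "exported")
            has_filter = comp.find("intent-filter") is not None
            # A component with an intent-filter and no explicit android:exported
            # has historically defaulted to exported, so treat it as reachable.
            if exported == "true" or (exported is None and has_filter):
                actions = [a.get(ANDROID_NS + "name") for a in comp.iter("action")]
                exposed.append((tag, comp.get(ANDROID_NS + "name"), actions))
    return {"package": root.get("package"), "permissions": sorted(perms),
            "findings": findings, "exposed": exposed}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A permission match only shows what an app is able to do, so a hit here is a prompt for review rather than a verdict.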